ABSTRACT


The roles and responsibilities for cybersecurity within the national government 
are not clearly delineated. This thesis asks if the current allocations of cybersecurity 
responsibilities to DHS are optimal for achieving national cybersecurity objectives. To 
answer this question, the evolution of cybersecurity policies within the United States is 
evaluated, looking specifically at DHS. Additionally, FBI, NSA/DOD, and DNI 
cybersecurity roles are identified. The Sony Pictures Entertainment cyber-attack is 
examined as a case study for how a real-world event is handled, and to determine the pros 
and cons of the current allocation of responsibilities. The evidence from the Sony
cyber-attack suggests that the Secret Service, under DHS, is not ready to conduct a proper
investigation for a cyber-attack but that the FBI is. This thesis identifies numerous 
responsibility allocation changes that would streamline cybersecurity at the national 
level. The main recommendations are that DHS should be the lead agency for improving 
and strengthening cybersecurity, while the FBI should be the lead agency for 
investigating cyber-attacks, unless the attack is against one of the people that the Secret 
Service protects, in which case they should become the lead investigator with direct 
support from the FBI. 

I. INTRODUCTION

A. RESEARCH QUESTION 

With increasing attention on the problem of cybersecurity as a critical aspect of 
homeland security, many agencies of the federal government, including the Department 
of Homeland Security (DHS), have established offices that focus on cybersecurity. It is 
not yet clear what the “lanes in the road” are for government agencies when it comes to 
addressing cyber threats. This thesis asks the question: Are the current allocations of U.S. 
cybersecurity responsibilities to DHS optimal for achieving U.S. national cybersecurity 
objectives? To answer the question this thesis evaluates the evolution of DHS and its role 
in cybersecurity, along with a review of the cybersecurity roles of the Federal Bureau of 
Investigation (FBI), the National Security Agency (NSA), Department of Defense 
(DOD), and the Director of National Intelligence (DNI). The 2014 Sony Pictures 
Entertainment hack is used as a real-world event case study, to show the pros and cons of 
the current allocation of responsibilities. 

B. SIGNIFICANCE 

Fifty years ago, cybersecurity was not an issue. With the evolution of technology 
and the interconnectedness of the cyber world, it is now at the forefront of national 
security. Cyberspace provides a common ground for advancing and developing 
technology that reaches across countries and serves as a link to share ideas that can either 
benefit or harm the world. The extensive reach of cyberspace that is only lightly 
regulated can serve as an entry point for adversaries that puts at risk the nation’s 
information system and the critical infrastructures that are linked to it. 

In the words of the U.S. Comprehensive National Security Initiative, “President 
Obama has identified cybersecurity as one of the most serious economic and national 
security challenges we face as a nation, but one that we as a government or as a country 
are not adequately prepared to counter.”1 This is why multiple agencies have
cybersecurity divisions, from the Department of Homeland Security to the Department of 
Defense. The roles for cybersecurity are blurred, which causes overlapping within the 
federal government, often causing multiple departments and agencies to respond, 
committing resources to the same issues with little or no interagency communication. At 
other times, no agency responds to a cyber threat, since it is unclear which agency is 
responsible. The overlap also wastes resources; if two or more agencies are preparing or 
attempting to address an issue, then critical funds are being depleted from many areas 
instead of the appropriate allocation. Additionally, if agency responsibilities were clear 
they could then make sure they have the right personnel for the job as opposed to the 
right personnel being spread across multiple agencies. Overlapping responsibility can 
cause increased costs, inter-departmental fighting, duplication, loss of the big picture, and 
failure to accomplish the task. 

C. LITERATURE REVIEW 

The following literature review is intended to provide background information 
regarding the research problem: cybersecurity “lanes in the road” for DHS. This review 
includes sources from the government, academia, and private sector. 

Advances in technology have had an impact on everyone’s life. A smartphone 
that is only a little larger than a deck of cards can “email, text and talk to each other, take 
pictures, get directions, watch television, control home appliances, read the news, play 
games and manage schedules.”2 While this new technology has helped people in many
ways, it has also created a new route for crime and increased the need for security.
Former NSA Director Mike McConnell says, “There are two kinds of organizations:
those that have been penetrated and are aware, and those that have been penetrated and
are unaware.”3 Going along with McConnell, DNI Clapper feels that cyber now poses a

1 Executive Office of the President of the United States, The Comprehensive National Cybersecurity
Initiative, accessed August 21, 2015, https://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative.

2 Partnership for Public Service, and Booz Allen Hamilton, “Cyber In-Security II: Closing the Federal
Talent Gap,” April 2015, 1, http://ourpublicservice.org/publications/viewcontentdetails.php?id=504.

3 Partnership for Public Service, and Booz Allen Hamilton, “Cyber In-Security II.”

larger threat than terrorism.4 The main issue is the number of cyber-attacks that happen.
Most of those cyber-attacks are at the low or moderate level of skill, but the vast number
of attacks is what causes the problem.5

In the paper, “Importance of Cyber Security,” Rajesh Kumar Goutam argues that
cybercrime is increasing throughout the world and therefore increases the need for
cyber security.6 The International Telecommunication Union (ITU) agrees with the need
for cybersecurity and holds that “many end-users ... lack the awareness and resources to
manage cyber-security risks adequately.”7 This is mitigated by capacity building for
cybersecurity, and ensuring that a culture of cybersecurity is present at every level.8 The
idea of needing cybersecurity alone is not universal, and Ulrik Franke and Joel
Brynielsson identify that not only is cybersecurity important but cyber situational
awareness is of greater importance.9 Situational awareness is “the perception of the
elements in the environment within a volume of time and space, the comprehension of
their meaning and the projection of their status in the near future.”10 Cyber situational
awareness is situational awareness but applied to cyberspace. Both see situational
awareness as being above cybersecurity, and that with enough situational awareness,
cybersecurity would become an afterthought.12


4 Aaron Boyd, “DNI Clapper: Cyber Bigger Threat Than Terrorism,” Federal Times, February 4,
2016, http://www.federaltimes.com/story/government/cybersecurity/2016/02/04/cyber-bigger-threat-terrorism/79816482/.

5 Ibid.

6 Rajesh Kumar Goutam, “Importance of Cyber Security,” International Journal of Computer
Applications 111, no. 7 (2015), http://research.ijcaonline.org/volume111/number7/pxc3901250.pdf.

7 Eric Lie, Rorry Macmillan and Richard Keck, “Cybersecurity: The Role and Responsibilities of an
Effective Regulator” (draft background paper, International Telecommunications Union, Beirut, Lebanon,
November 2009) 11, http://www.itu.int/ITU-D/treg/Events/Seminars/GSR/GSR09/doc/GSR-background-paper-on-cybersecurity-2009.pdf.

8 Ibid.

9 Ulrik Franke and Joel Brynielsson, “Cyber Situational Awareness: A Systematic Review of the
Literature,” Computers and Security 46 (2014): doi: 10.1016/j.cose.2014.06.008.

10 Ibid. 

11 Ibid. 

12 Ibid. 

Cybersecurity at the international level is one of the main focuses for many states.
Some states are working on lowering the burden of proof for state activity in cyber
activities in order to shape their cybersecurity in a more defensive or military manner.13
While some states are working on increasing their military national cybersecurity, other
states are working on increasing the international thresholds for cyber use of force and
cyber armed attacks, so that cyber espionage and other forms of cyber activities can be
undertaken without fear of international retaliation.14

Some corporate leaders feel that it is their responsibility to protect their company
and customers from cyber threats that originate from within the United States and that the
United States government should not deal with internal cybersecurity. The federal
government, according to this view, should only be concerned with foreign states
conducting cyber-attacks.15 On the other hand, the Center for Strategic and International
Studies Commission on Cybersecurity for the 44th Presidency feels that, “there are
issues—consumer safety or national defense—where the market response will always be
inadequate.” From this statement it can be seen that the idea of individual companies
providing their own cybersecurity with no regulation or input from the government is not
seen as a good answer. To help cybersecurity for the government and private sector,
information sharing is vital. The sharing of cyber intelligence can help or hinder
cybersecurity across the board, and currently that sharing still needs better development in
order to be useful.17


13 Scott J. Shackelford and Richard B. Andres, “State Responsibility for Cyber Attacks: Competing
Standards for a Growing Problem,” Georgetown Journal of International Law 35, no. 1 (2003): 17,
http://www.lexisnexis.com.libproxy.nps.edu/lnacui2api/api/version1/getDocCui?lni=53YF-4BH0-02C9-F0KV&csi=270944,270077,11059,8411&hl=t&hv=t&hnsd=f&hns=t&hgn=t&oc=00240&perma=true.

14 Ibid.

15 Suzanne C. Nielsen, “Pursuing Security in Cyberspace: Strategic and Organizational Challenges,”
Orbis 56, no. 3 (2012): 348, http://www.sciencedirect.com.libproxy.nps.edu/science/article/pii/S0030438712000300.

16 Ibid.

17 Thomas D. Wagner, “Sharing Cyber Intelligence in Trusted Environments: A Literature Review,”
Birmingham City University, accessed on May 20, 2016, 5, https://www.bcu.ac.uk/Download/Asset/633bd91b-4d73-e511-80ce-005056831842.

Secretary of Defense Robert Gates has said he believes the Pentagon does not
have enough people with the right skills in order to address cybersecurity.18 In 2009, the
report, “Cyber In-Security: Strengthening the Federal Cybersecurity Workforce,” written
by the Partnership for Public Service and Booz Allen Hamilton, found that Secretary
Gates was correct and that the government was having issues with recruitment and
retention of skilled cybersecurity personnel.19 In 2015, the next report from the
Partnership for Public Service and Booz Allen Hamilton, “Cyber In-Security II: Closing
the Federal Talent Gap,” found that the findings in their report from 2009 were still
accurate for the most part.20 The government is on the right path for recruiting and
retaining cybersecurity personnel, but the momentum for the changes required is almost
non-existent. The federal government is not a competitive employer when compared
to the private sector for cyber-trained personnel.21

Who should be in charge of cybersecurity is widely debated. Melissa Hathaway, 
formerly the National Security Council senior director for cyberspace, argues that the 
White House needs to take the lead for cybersecurity efforts and needs to put out more 
specific guidance for the agencies to follow.22 Hathaway also argues that the agencies
have too many overlapping authorities for cybersecurity, and that they do not see the 
large picture needed to meet the challenges for the country.23 A single agency not 
understanding the larger picture could have disastrous effects on cybersecurity, if they 
think the right actions are being taken but those actions do not meet the current objectives 
or threats. 


18 Partnership for Public Service, and Booz Allen Hamilton, “Cyber In-Security: Strengthening the
Federal Cybersecurity Workforce,” July 2009, 2, https://www.boozallen.com/content/dam/boozallen/media/file/CyberIn-Security_2009.pdf.

19 Ibid.

20 Partnership for Public Service, and Booz Allen Hamilton, “Cyber In-Security II,” 1.

21 Ibid.

22 Jaikumar Vijayan, “Cybersecurity Official Says White House should Lead,” Computerworld 43, no.
16 (2009): 6, http://libproxy.nps.edu/login?url=http://search.proquest.com/docview/34185659?accountid=12702.

23 Ibid. 

Arben Asllani, Charles Stephen White, and Lawrence Ettkin have a completely
different view of how cybersecurity should be thought of and handled. They feel that
cybersecurity should be treated as a public good, such as public safety.24 They see no
legal difference between the government ensuring safety on the street or in food
processing and ensuring safety in cyberspace.25 Treating cybersecurity as a public good
would justify the government, at all levels, improving and regulating cybersecurity. The
authors provide six different aspects of how the government should provide
cybersecurity. First, public education on cybersecurity needs to be taught at schools to
improve general understanding of its importance. Second, a better framework for fighting
cybercrime through the criminal justice system needs to be established. Third, once that
framework is implemented then cyberterrorism needs to be fought and the perpetrators
brought to justice. Fourth, information security needs to be regulated for who has access
to personal information that is stored in electronic form. Fifth, the Internet needs to be
regulated for content, while ensuring that the First Amendment is not violated. Finally, the
pre-established patent, copyright, and trademark laws need to be better enforced on the
Internet. If the government starts treating cybersecurity as a public good and does the six
things listed, then our nation’s cybersecurity efforts will remain ahead of our
adversaries.26

According to Paul Kurtz, the former executive director of the Cyber Security
Industry Alliance, the United States’ issue with forward progress for cybersecurity is that
there is a lack of leadership and therefore guidance on what to do and when to do it.27
Furthering the idea that nobody knows who is in charge of cybersecurity is Senator
Barbara Mikulski. She argues that the nation needs “clarification of who is in charge” for

24 Arben Asllani, Charles Stephen White, and Lawrence Ettkin, “Viewing Cybersecurity as a Public
Good: The Role of Governments, Businesses, and Individuals,” Journal of Legal, Ethical and Regulatory
Issues 16, no. 1 (2013): 9, http://libproxy.nps.edu/login?url=http://search.proquest.com/docview/1370351181?accountid=12702.

25 Ibid.

26 Ibid.

27 “White House, Congress Flunk on Cyber Security, CSIA Says,” TechWeb, December 14, 2005, 1,
http://libproxy.nps.edu/login?url=http://search.proquest.com/docview/201509659?accountid=12702.

cybersecurity.28 Mark D. Young looked at the entire government, focusing on DOD for
cybersecurity, and argued that the allocation of resources is not the problem; instead it is
the lack of specific doctrine. He discusses the top-down approach in government with the
White House at the top putting out requirements and then the departmental level adds to
those requirements and so on. His main argument is that the established policy is not
specific enough. A cyber-doctrine is needed to establish what the goal is, enabling groups
to train and build a skilled cyber force.29

There are multitudes of ideas for the issue of who should be in charge of U.S. 
national cybersecurity efforts. The argument that cybersecurity responsibility does not 
fall to one agency but is the responsibility of everyone is commonly heard. This concept 
relates to the idea that no one entity can secure cyberspace without the help of everyone 
that has access to that system. The requirement for collaboration is seen numerous times 
in the literature; many experts argue that everyone has a role to play in cybersecurity, 
from an individual person all the way up to the government. Christine de Souza, for 
example, argues that no single agency should take the lead on cybersecurity but that all 
government agencies and private industries should take responsibility for their own
cybersecurity. With each entity responsible for their own cybersecurity, collaboration
between agencies would play a vital role for the nation’s cybersecurity. A national
cybersecurity effort can only be achieved when everyone involved works together. The
different communities need to establish a framework for the public, private, and
individual levels, enabling them to collaborate on furthering cybersecurity efforts.31
According to Melissa E. Hathaway, no cybersecurity entity has been keeping up with the 


28 John Curran, “U.S. Should Clarify Leadership Roles in Cybersecurity, Sen. Mikulski Says,”
Cybersecurity Policy Report, August 2, 2010, 1, http://libproxy.nps.edu/login?url=http://search.proquest.com/docview/746442266?accountid=12702.

29 Mark D. Young, “National Cyber Doctrine: The Missing Link in the Application of American
Cyber Power,” Journal of National Security Law and Policy 4, no. 173 (2010), http://jnslp.com/wp-content/uploads/2010/08/12_Young.pdf.

30 de Souza, “National Cyber Security.”

31 Eric Lie, Rorry Macmillan and Richard Keck, “Cybersecurity: The Role and Responsibilities of an
Effective Regulator” (draft background paper, International Telecommunications Union, Beirut, Lebanon,
November 2009) 11, http://www.itu.int/ITU-D/treg/Events/Seminars/GSR/GSR09/doc/GSR-background-paper-on-cybersecurity-2009.pdf.

ever changing and evolving threats in cyberspace.32 The academic side is vitally
important to every aspect of cybersecurity. Experts argue the government should
encourage the education of cybersecurity to professionals in order to meet the
ever-expanding demand for properly trained personnel in both the public and private sectors.33

According to a Department of Justice Office of the Inspector General audit of FBI 
cyber investigation capabilities, 36% of cyber agents feel they do not have the 
appropriate level of cyber knowledge to conduct investigations.34 The Deputy Assistant 
Director of the FBI’s Cyber Division, Steven Chabinsky, argues that the audit did not 
take into account that the FBI agents feel that anything less than 100% is not enough, so 
it makes sense that they feel they do not know enough about cyberspace.35 Going along
with this, the Director of research for the computer security training company, SysAdmin,
Audit, Network, and Security Institute, says that the FBI has the best interagency 
cooperation program for cybersecurity in the entire government, and that if there are any 
shortcomings it is due to the volume of cases they handle and not because of their 
personnel.36 The Director of the FBI, James Comey, feels that the Secret Service’s cyber 
investigation mission and responsibilities should fall under the FBI.37 Comey feels that it 
is a waste of resources to have both the Secret Service’s electronic crimes taskforce and 
the FBI’s cyber taskforce, and that there should only be the FBI’s.38 

In the article, “Who Should Lead U.S. Cybersecurity Efforts?” Kevin Newmeyer
analyzes five different options for the government to improve leadership of 
cybersecurity.39 Those five options are: establishing a National Coordinator within the 

32 Melissa E. Hathaway, “Leadership and Responsibility for Cybersecurity,” Georgetown Journal of
International Affairs, Special Issue 2012, http://belfercenter.ksg.harvard.edu/files/71-80-hathaway.pdf.

33 Lie, “Cybersecurity,” 11.

34 Mathew J. Schwartz, “FBI Defends Cyber Investigation Skills,” Information Week no. 1300 (2011):
19, http://libproxy.nps.edu/login?url=http://search.proquest.com/docview/871111525?accountid=12702.

35 Ibid. 

36 Ibid. 

37 Committee on Oversight and Government Reform, United States Secret Service: An Agency in 
Crisis, H.R. Rep 114, 190 (2015). 

38 Ibid. 

39 Kevin P. Newmeyer, “Who Should Lead U.S. Cybersecurity Efforts?,” Prism 3, no. 2 (2012). 

White House, placing DOD in charge, creating a new cabinet level cyber department and
placing it in charge, creating a Director of Cybersecurity, or placing DHS in charge. 
The argument for establishing a National Cybersecurity Coordinator is not widely 
supported, but the other four options have a support base behind them. 

Placing DOD in charge of the national cybersecurity efforts is one of the options 
that Newmeyer proposes.41 This could be a beneficial arrangement since DOD already
defends their own systems and is at the leading edge of advancing cybersecurity 
methods.42 Placing the DOD in charge would also pose problems, mainly due to the 
Posse Comitatus Act, which restricts DOD domestic law enforcement activity.43 August 
G. Roesener, Carl Bottolfson, and Gerry Fernandez feel that DOD should have the lead 
for domestic cyber-attacks, and for the defensive and counteroffensive responses in 
support of any DOD combatant commander, or U.S. national level agency.44 Agreeing 
with their assessment is Admiral James A. Winnefeld Jr., who believes that DOD 
cybersecurity is at the forefront of the field, but could be better. In order for DOD 
cybersecurity to reach its full potential it needs to have better integration across all the 
branches and contractors, and it needs to further its culture of cybersecurity.45 The 
integration portion can be achieved through increasing the coordination and cooperation 
for cybersecurity throughout DOD. The culture of cybersecurity is important so that not 
only those individuals who are charged with cybersecurity are thinking about it, but also, 
everybody is thinking about it every time they interact with a cyber component.46 
Secretary of Defense Ash Carter feels that having the same person in charge of both NSA 


40 Newmeyer, “Who Should Lead.” 

41 Ibid., 121. 

42 Ibid. 

43 Ibid. 

44 August G. Roesener, Carl Bottolfson, and Gerry Fernandez, “Policy for U.S. Cybersecurity,” Air &
Space Power Journal 28, no. 6 (2014), 38-39, http://libproxy.nps.edu/login?url=http://search.proquest.com/docview/1652188677?accountid=12702.

45 Adm. Winnefeld’s Remarks at the West Point Cyber Conference, Joint Chiefs of Staff, May 14,
2015, http://www.jcs.mil/Media/Speeches/tabid/3890/Article/589135/adm-winnefelds-remarks-at-the-west-point-cyber-conference.aspx.

46 Ibid. 

and USCYBERCOM is the correct answer.47 Admiral Rogers, who is serving as the
Commander USCYBERCOM and the Director NSA, feels that the goal is not for security
over privacy or vice versa but that it is possible to ensure privacy and also ensure
protection at the same time.48 In order to improve the cybersecurity for DOD, the
Pentagon is holding a “Hack the Pentagon” event for qualified participants to attempt to
hack into a portion of the Pentagon’s network.49

Kevin Newmeyer’s next option is to create a new cabinet level agency or
department that would be in charge of national cybersecurity.50 Establishing a new
agency for cybersecurity could fix many of the problems in the current system.51
Elizabeth A. Myers talks about cybersecurity as a team sport, that the approach should be
whole-of-government. She goes on to say that the best alternative would be to create a
national level cyberspace operations center. She recommends that a Cyberspace
Operations Center should be established at the cabinet level, similar to how the National
Counter-Terrorism Center was established; that way the head of the center would have a
direct link to the President.52 Additionally, Joeli R. Field argues that creating a new
cybersecurity agency is the only alternative. Field writes that the established agencies do
not coordinate with respect to cybersecurity and creating a new agency that is solely
responsible for the entire government’s cybersecurity would eliminate that problem. Field


47 Remarks by Secretary Carter to U.S. Cyber Command Workforce at Fort Meade, Maryland, U.S.
Department of Defense, March 13, 2015, http://www.defense.gov/News/News-Transcripts/Transcript-View/Article/607024.

48 Karen Parrish, “Privacy or Security in Cyber? Both, NSA Chief Says,” U.S. Department of Defense,
March 2, 2016, http://www.defense.gov/News-Article-View/Article/684015/privacy-or-security-in-cyber-both-nsa-chief-says.

49 Statement by Pentagon Press Secretary Peter Cook on DOD’s “Hack the Pentagon” Cybersecurity
Initiative, U.S. Department of Defense, March 2, 2016, http://www.defense.gov/News/News-Releases/News-Release-View/Article/684106/statement-by-pentagon-press-secretary-peter-cook-on-dods-hack-the-pentagon-cybe.

50 Newmeyer, “Who Should Lead,” 121.

51 Ibid.

52 Elizabeth A. Myers, “Cyber as a ‘Team Sport’: Operationalizing a Whole-of-Government Approach
to Cyberspace Operations” (master’s thesis, Joint Forces Staff College), http://www.dtic.mil/dtic/tr/fulltext/u2/a545638.pdf.


argues that if offensive cyber action is required in the future, the single agency
model could evolve into having offensive capabilities.53

Placing DHS in charge is an attractive solution, since DHS is already set up to
coordinate with other government agencies and private industries for cybersecurity.54 In
2013, Secretary of Homeland Security Janet Napolitano told Congress that a “cyber 9/11”
is imminent and recommended that they pass legislation to govern cybersecurity.55

Senator Tom Coburn feels that DHS’s plan to protect critical infrastructure from
cyber-attacks is too vague. Supporting this is a federal report published in January 2015
that says DHS cybersecurity is “unlikely to protect us.”56 Both the Senator’s thoughts and
the federal report point out problems but do not offer any solutions or ways to improve
the situation. The Government Accountability Office conducted research and found that
DHS does not have any metrics for measuring if their cybersecurity programs and
initiatives are effective.57 The recommendation is to establish those metrics, conduct a
review of their cybersecurity following the metrics and make changes as necessary.58
Matthew H. Fleming and Eric Goldstein analyzed the authorities and efforts of DHS for
securing cyberspace. They identified that the authorities granted to DHS currently are not
enough to fulfill their mission for cybersecurity.59 According to DHS, “cybersecurity is a


53 Joeli R. Field, “Cybersecurity: Division of Responsibility in the U.S. Government,” National
Security Cyberspace Institute, September 18, 2010, http://www.nsci-va.org/CyberReferenceLib/2010-09-18-Cybersecurity-Division%20of%20Responsibility%20in%20the%20US%20Government-Joeli%20Field.pdf.

54 Ibid., 120.

55 “Preventing 9/11 in the Cyber World,” Information Management 47, no. 3 (2013): 18,
http://libproxy.nps.edu/login?url=http://search.proquest.com/docview/1430501590?accountid=12702.

56 Violet Blue, “New Report: DHS is a Mess of Cybersecurity Incompetence,” ZDnet, January 14,
2015, http://www.zdnet.com/article/new-report-the-dhs-is-a-mess-of-cybersecurity-incompetence/.

57 Gregory C. Wilshusen, Critical Infrastructure Protection: Measures Needed to Assess Agencies’
Promotion of the Cybersecurity Framework (GAO-16-152) (Washington, DC: U.S. Government
Accountability Office, 2015), 2, http://www.gao.gov/assets/680/674300.pdf.

58 Ibid.

59 Matthew H. Fleming, Eric Goldstein and Robert Tuohy, “An Analysis of the Primary Authorities
Supporting and Governing the Efforts of the Department of Homeland Security to Secure the Cyberspace
of the United States,” Homeland Security Studies and Analysis Institute, May 24, 2011,
http://www.homelandsecurity.org/docs/reports/MHF-and-EG-Analysis-of-authorities-supporting-efforts-of-DHS-to-secure-cyberspace-2011.pdf.

shared responsibility,” with each person, business, and agency sharing a part of it.60 The
Department of Energy agrees with DHS’s statement that cybersecurity is important at
every level and believes that every individual Internet user should have a basic
understanding of cyber threats as well as the importance of avoiding them.61

The Cyber Security Industry Alliance argues that there needs to be a position 
within DHS that has the sole role of being a liaison between the government and private 
industry.62 Currently the assistant secretary for infrastructure protection handles this and 
that person is spread too thin with their responsibilities to handle this role.63 Once a 
liaison position is established they should coordinate between the government and private 
industry to share more information and establish plans for cyber disruptions.64 

The Sony Pictures Entertainment cyber-attack, which will be examined in Chapter 
IV, was a major event where another government attacked a private U.S. company. 
During its investigation, the FBI linked the attackers to North Korea.65 Sony decided to
cancel the release of the movie The Interview, due to the threats from the hackers. Once
North Korea was identified, President Obama said that Sony should not have pulled the
movie, saying, “We cannot have a society in which some dictator someplace can start
imposing censorship here in the United States.”66 According to President Obama the 
main goal of the attack was for North Korea to impose restrictions on our freedom of 


60 Cybersecurity: A Shared Responsibility, U.S. Department of Homeland Security, October 2013,
https://www.dhs.gov/blog/2013/10/18/cybersecurity-shared-responsibility.

61 Cybersecurity Is Every Citizen’s Responsibility, U.S. Department of Energy, October 2013,
http://energy.gov/articles/cybersecurity-every-citizens-responsibility.

62 Larry Greenemeier, “Federal Role in Ensuring Cybersecurity Isn’t Clear,” Information Week no.
1023, January 24, 2005, 41,
http://libproxy.nps.edu/login?url=http://search.proquest.com/docview/229160173?accountid=12702.

63 Ibid.

64 “Cyber-Security Group Pushes 12-Point Plan on White House,” TechWeb, December 8, 2004, 1,
http://libproxy.nps.edu/login?url=http://search.proquest.com/docview/201528422?accountid=12702.

65 Kristina Daugirdas and Julian Davis Mortenson, “United States Responds to Alleged North Korean
Cyber Attack on Sony Pictures Entertainment,” The American Journal of International Law 109, no. 2
(2015): 420, http://libproxy.nps.edu/login?url=http://search.proquest.com/docview/1717302701?accountid=12702.

66 Ibid. 

speech.67 As a result, Sony did release the movie on its original release date. Seth Rogen,
the lead actor in the movie, posted on Twitter, “The people have spoken! Freedom has
prevailed! Sony didn’t give up! The Interview will be shown at theatres willing to play it
on Xmas day!”68

A few members of Congress publicly called the cyber-attack an act of war and 
cyberterrorism, but the White House refrained from using these terms.69 According to 
Matt Bogaard, from Bogaard Group Intl, a security consulting firm, the main issue with 
cybersecurity is the “people part” but the Sony cyber-attack is pointing out to everyone 
just how important cybersecurity is.70 There is a group of people, primarily hackers 
themselves, who feel that North Korea might not be responsible. The main evidence 
leading back to North Korea was Internet Protocol addresses, and according to this group 
of people, those are easy to fake.71 

Secretary of Homeland Security, Jeh Johnson, hopes that other U.S. companies 
will see the Sony cyber-attack as a “wake-up call to strengthen their cybersecurity 
protections.” He says that every company should look at their cybersecurity and 
ensure that the best practices are being followed.73 Secretary Johnson goes on to offer 
help from DHS and other federal agencies for increasing their company’s 
cybersecurity.74 Going along with this, DHS Deputy Under Secretary for Cybersecurity 

Ted Johnson, “Hack Aftermath,” Variety 327, no. 11 (2015): 44, 
http://libproxy.nps.edu/login?url=http://search.proquest.com/docview/1675636219?accountid=12702. 

“Is Kim Jong Un Innocent?; Cyber-Security,” The Economist 414, no. 8919 (2015): 22, 

and Communications Phyllis Schneck feels that every cyber-attack should be seen as a 
wake-up call. 

Despite the considerable amount of literature that exists examining cyber threats, 
there is little discussion about the specific “lanes in the road” for DHS and other agencies 
in regards to cybersecurity. This thesis examines those lanes in the road, and how the 
assignment of responsibilities (or lack of assignment) affects national cybersecurity. 

D. EXPLANATIONS AND HYPOTHESES 

With the growing importance of cybersecurity, the government is working on 
getting ahead and staying ahead of the evolving cyber threats. This thesis evaluates two 
different hypotheses. First, with the “lanes in the road” not clearly defined for 
cybersecurity, it is hypothesized there are unneeded overlaps in resources and gaps in 
responsibilities. These overlaps can cause confusion leading to expanding existing gaps 
in responsibilities or creating new gaps. The second hypothesis is that in order to reduce 
this confusion, the lead agency for maintaining national cybersecurity should be DHS, 
and the lead agency for investigating cyber-attacks should be FBI. This would mean that 
DHS would be responsible for securing government networks, making standard 
cybersecurity requirements for public and private networks, and actively pursuing 
collaboration across all public and private networks for increased resilience and support. 
The FBI would be responsible for investigating and determining the who, what, where, 
when, why, and how after and during a cyber-attack. 

E. RESEARCH DESIGN 

This thesis has four main objectives: (1) apply a policy and legislative analysis to 
examine the evolution of cybersecurity policies, in order to determine the current 
cybersecurity role for DHS; (2) provide an overview of the evolution and current 
cybersecurity missions for the Federal Bureau of Investigation (FBI), National Security 
Agency (NSA), Department of Defense (DOD), and the Director of National Intelligence 

Christopher J. Castelli, “DHS Official Downplays Potential for Sony Hacking to Spur Cybersecurity 
Changes,” Inside Cybersecurity, December 16, 2014, 
http://libproxy.nps.edu/login?url=http://search.proquest.com/docview/1636659052?accountid=12702. 

(DNI); (3) analyze the Sony Pictures Entertainment cyber-attack; and (4) determine the 
gaps in the current DHS cybersecurity role and identify ways to mitigate the weaknesses. 

The first objective is met by critically analyzing the policies from the White 
House and DHS along with laws from Congress. The analysis works chronologically 
from the past to present, and provides historical background and justification. Once the 
evolution of cybersecurity for DHS has been established the current mission is evaluated 
for requirements and how DHS fulfills those requirements. 

The second objective is met by providing background information for each entity 
from when they were established to their current cybersecurity mission. This is 
accomplished by evaluating the directives and laws that apply to each entity. 

The third objective is met by analyzing the Sony cyber-attack, looking at before it 
occurred, the lead up, followed by the actual attack, and finishing with the aftermath 
including the investigation. The investigation is evaluated to determine if it was 
successful and if so why, and to determine any shortcomings after the attack. 

The fourth objective highlights the gaps identified in the previous three 
objectives and establishes recommendations to either close each gap 
completely or mitigate the issue to narrow the gap. 

F. CHAPTER OVERVIEW 

Chapter II analyzes the evolution of cybersecurity within the United States 
government, primarily focusing on DHS’s portion of cybersecurity once it is established 
in 2001. The next section examines the current cyber security mission for DHS and 
specifically for the Secret Service under DHS. 

Chapter III provides a description of the other three national agencies that also 
have a cybersecurity mission. An overview of the evolution and current mission is 
provided for the FBI, NSA/DOD, and DNI. 

Chapter IV discusses the Sony Pictures Entertainment cyber-attack conducted in 
November 2014. The timeframe leading up to the attack, the actual attack, and the 
aftermath are discussed. The response and investigation are analyzed to determine that it 
was both successful and a failure. 

Chapter V provides a conclusion, policy recommendations, and identifies future 
research that is needed to properly identify the “lanes in the road” for cybersecurity. 

II. DHS CYBERSECURITY EVOLUTION AND CURRENT MISSION 


Chapter II provides an overview of the evolution of cybersecurity policy in the 
United States, specifically for DHS. DHS’s current cybersecurity mission is to ensure a 
secure computer system for the government, and to promote coordination between public 
and private entities, and this chapter will consider how well that mission has been 
accomplished. Additionally, the U.S. Secret Service’s mission evolution and current 
mission is examined. 

A. EVOLUTION OF CYBERSECURITY POLICIES 

Cybersecurity policies have been expanding and shifting for over two decades. 
The first governmental policy was seen in January 1988, with the “Computer Security 
Act of 1987” that established government-wide computer security as a national priority. The 
act also provided a means to establish minimal security practices for computers. The 
next major step forward for cybersecurity was in July 1990, when the “National Security 
Directive (NSD) 42: National Policy for the Security of National Security 
Telecommunications and Information System” was published. NSD-42 established the 
National Security Telecommunications and Information Systems Security Committee, 
now the Committee on National Security Systems (CNSS). CNSS falls under the 
President’s Critical Infrastructure Protection Board, and provides advice and guidance for 
the President, executive department, and other government agencies for system 
security. 

In May 1998, the next relevant cybersecurity directive was established, the 
“Presidential Decision Directive/NSC-63 (PDD/NSC-63): Critical Infrastructure 
Protection.” PDD/NSC-63 sets the national goal to protect the country’s critical 
infrastructure from both physical attacks and cyber-attacks by 2003. The goal was to 

76 Computer Security Act of 1987, Pub. L. No. 100-235 (1988). 

77 White House, National Policy for the Security of National Security Telecommunications and 
Information System, National Security Directive 42, Washington, DC, 1990, 
http://fas.org/irp/offdocs/nsd/nsd42.pdf. 

prevent attacks, but if an attack was successful then the disturbance to the infrastructure’s 
services must be “brief, infrequent, manageable, geographically isolated, and minimally 
detrimental to the welfare of the United States.” The devastating terrorist attacks on 
September 11, 2001, caused widespread support for reform to prevent terrorism. Eleven 
days after the attacks, on September 22, 2001, the Office of Homeland Security was 
created in the White House. The purpose of the office was to oversee and coordinate “a 
comprehensive national strategy to safeguard the country against terrorism and respond 
to any future attacks.” 

Another response to the 9/11 attacks was Congress passing Public Law 107-56 in 
October 2001, titled “The Uniting and Strengthening America by Providing Appropriate 
Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001.”80 
This was better known as the Patriot Act. This increased the authority and capacity of a 
variety of agencies in order to more efficiently counter terrorism. It also expanded the 
authority and capabilities of those agencies involved in cyber security. 

In November 2002, after the Office of Homeland Security had operated as part of 
the White House for just over a year, the “Homeland Security Act of 2002” was passed. 
The Homeland Security Act formally made the Department of Homeland Security (DHS) 
a stand-alone, cabinet-level department. The DHS officially opened its doors on March 1, 
2003. 

In February 2003, “Executive Order (E.O.) 13286: Amendment of Executive 
Orders, and Other Actions, in Connection with the Transfer of Certain Functions to the 
Secretary of Homeland Security” was signed. E.O. 13286 designated the Secretary of 
Homeland Security as the Executive Agent of the National Communication System 
Committee of Principals. This placed the Secretary in charge of those who owned or 

White House, Critical Infrastructure Protection, Presidential Decision Directive/NSC-63, 
Washington, DC, 1998, http://fas.org/irp/offdocs/pdd/pdd-63.htm. 

Creation of the Department of Homeland Security, U.S. Department of Homeland Security, 
modified October 2014, http://www.dhs.gov/creation-department-homeland-security. 

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and 
Obstruct Terrorism (USA PATRIOT Act) Act of 2001, Pub. L. No. 107-56, 115 Stat. 272 (2001). 

Creation of the Department of Homeland Security, U.S. Department of Homeland Security. 

leased telecommunication assets that are part of the National Communication System or 
have importance to national security. This was the start of DHS taking a major role in 
cyber security. 

Later that same year, in December 2003, “Homeland Security Presidential 
Directive (HSPD) No. 7: Critical Infrastructure Identification, Prioritization, and 
Protection,” assigned the Secretary of Homeland Security the responsibility for critical 
infrastructure protection coordination and designated the DHS the lead agency for the 
information and telecommunications sectors. This caused DHS, which had been 
established to safeguard the nation against terrorism, to see its role expanding to include 
almost anything related to national security, which includes cybersecurity. HSPD-7 also 
included that the privacy of American citizens will not be infringed while enhancing 
cybersecurity. 

In January 2008, the “National Security Presidential Directive (NSPD) 54” and 
“Homeland Security Presidential Directive (HSPD) 23,” both classified, were signed.84 
The Comprehensive National Cyber Security Initiative (CNCI) was launched, under the 
directions of NSPD-54 and HSPD-23. CNCI lists three main goals. First, “establish a 
front line of defense” by increasing cybersecurity situational awareness across the entire 
nation. Second, “defend against the full spectrum of threats by enhancing U.S. 
counterintelligence capabilities.” Third, “strengthen the future cybersecurity 


Exec. Order No. 13286, http://fas.org/irp/offdocs/eo/eo-13286.htm. 

White House, Critical Infrastructure Identification, Prioritization, and Protection, Homeland 
Security Presidential Directive No. 7, Washington, DC, 2003, 
https://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m-04-15.pdf. 

Executive Office of the President of the United States, The Comprehensive National Cybersecurity 
Initiative, accessed 21 August 2015, 
https://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative. 

environment” by advertising and supporting cyber education. CNCI also defined DHS 
as the head liaison between the government and the private sector for cybersecurity. 

In October 2011, the President signed “E.O. 13587: Structural Reforms to 
Improve the Security of Classified Networks and the Responsible Sharing and 
Safeguarding of Classified Information.” This called for two simultaneous goals, to 
responsibly share and safeguard classified information while protecting privacy and civil 
liberties. This E.O. applies to those agencies that either utilize classified information or 
own a classified network.90 “E.O. 13618: Assignment of National Security and 
Emergency Preparedness Communications Functions,” was signed in July 2012. E.O. 
13618 addressed the government’s requirement to be able to communicate during a 
national security crisis or emergency situation. The National Communications System is 
dissolved and DHS is required to establish a program office to assist in assigning specific 
responsibilities to federal government entities for communications functions. 

In February 2013, “Presidential Policy Directive (PPD) 21: Critical Infrastructure 
Security and Resilience” was signed. The purpose of PPD-21 is to advance “a 
national unity of effort to strengthen and maintain secure, functioning, and resilient 
critical infrastructure.” The national systems for “prevention, protection, mitigation, 
response, and recovery” must all be continually updated. PPD-21 assigns responsibility 
at the federal, state, local, tribal, territorial, and public and private owners for critical 
infrastructure security and resilience. Securing critical infrastructure includes both the 
physical and cyber aspects of security. The Secretary of Homeland Security is required to 
“provide strategic guidance, promote a national unity of effort, and coordinate the overall 
Federal effort to promote the security and resilience of the Nation’s critical 
infrastructure.” In order to carry out these requirements, additional roles and 
responsibilities are added under the Secretary of Homeland Security. To protect critical 
infrastructure DHS must analyze capabilities and challenges to be able to identify 
potential vulnerable points that could be exploited by our adversaries. 

PPD-21 identifies eight specific things that DHS must do in order to ensure the 
protection of critical infrastructure. First, it must prioritize the current threats, both 
physical and cyber, and coordinate with other federal and private entities to mitigate 
those threats. Second, DHS must maintain situational awareness centers for potential 
threats to critical infrastructure. Third, the information gained through the situational 
awareness centers and other intelligence must be shared with the appropriate federal or 
private entity to strengthen their resilience. Fourth, DHS must identify and assess 
vulnerabilities then coordinate with government and private agencies to mitigate them. 
Fifth, DHS must act as the central coordinating effort for the federal government’s 
response to cyber or physical attacks. Sixth, DHS must support the Attorney General to 
investigate and prosecute any threats or attacks. Seventh, DHS must coordinate with the 
federal and private agencies that own or operate critical infrastructures in order to map 
and analyze all aspects of the infrastructure. Eighth, DHS is to submit a report annually 
on the status of critical infrastructure. In addition to these requirements, PPD-21 also 
expands the research and development (R&D) requirements, and a plan will be released 
every four years to direct the R&D initiatives. This directive, which supersedes HSPD-7, 
ensures that DHS is the central entity for critical infrastructure protection and the main 
focal point for private industry to work with. 

“E.O. 13636: Improving Critical Infrastructure Cybersecurity” was signed in 
February 2013. E.O. 13636 addresses cybersecurity in four main ways. First, it expands a 
DHS program focused on sharing techniques and information that is important to critical 
infrastructure among government agencies and the private sector. Second, a method 
was established for determining which infrastructures counted as critical, to determine 
which ones needed increased protection. Third, the “National Institute of Standards 
and Technology” was required to establish a list of effective cybersecurity techniques for 
critical infrastructure protection. Fourth, the agencies that had regulation authority 
were required to evaluate the level of current requirements and their ability to address 
risks. 

In February 2015, “E.O. 13691: Encouraging Private-Sector Cybersecurity 
Collaboration” was signed. The goal is to establish new “information sharing and 
analysis organizations to serve as focal points for cybersecurity information sharing and 
collaboration within the private sector and between the private sector and 
government.” Part of the new collaboration between the private sector and government 
is that DHS was granted the power to share classified intelligence with the private sector for 
advancing cybersecurity efforts. Later in February 2015, a Presidential Memorandum 
was signed titled “Establishment of the Cyber Threat Intelligence Integration Center 
(CTIIC).” CTIIC connects the dots at the national level for foreign cyber threats, and 
provides that intelligence to the appropriate agencies.108 They also provide threat analysis 
briefs to policymakers. This is critical to cybersecurity in that it can provide a heads up 
to a cyber-attack allowing a response that can prevent an attack from being successful 
instead of responding after an attack has happened. 

B. CURRENT DHS CYBERSECURITY MISSION 

DHS is the lead agency for national cybersecurity concerns, and has divided its 
cybersecurity efforts between two offices: the Cyber Security Division (CSD) and the 
Office of Cybersecurity and Communications (CS&C). These two offices work towards 
different objectives but both are furthering the national cybersecurity interests, through 
strengthening the coordination between private and public cybersecurity and expanding 
the education level in regards to cybersecurity and cyber threats. 

CSD was formed in 2011, under the Homeland Security Advanced Research 
Projects Agency. CSD’s mission is to: 

Contribute to enhancing the security and resilience of the nation’s critical 
information infrastructure and the Internet by: developing and delivering 
new technologies, tools and techniques to enable DHS and the U.S. to 
defend, mitigate and secure current and future systems, networks and 
infrastructure against cyber-attacks; conduct and support technology 
transition, and lead and coordinate research and development (R&D) 
among the R&D community which includes department customers, 
government agencies, the private sector and international partners. 

CSD furthers these three mission areas by coordination and cooperation with 
other agencies at the federal, state, municipal levels, private sector companies, and the 
research community. This allows them to gather the advancements of the cybersecurity 
initiatives and be able to share that information across the board, to further not only the 
U.S. government’s cybersecurity but also effect change in the private sector for 
increasing cybersecurity for U.S. interests. 

CS&C was created in 2006, by Congress under the Assistant Secretary for 
Cybersecurity and Communications. CS&C is “responsible for enhancing the security, 


Cyber Security Division, U.S. Department of Homeland Security, modified August 2015, 
http://www.dhs.gov/science-and-technology/cyber-security-division. 

111 Ibid. 

resilience, and reliability of the Nation’s cyber and communications infrastructure.”112 
The goal is to prevent or at least minimize the disruption to critical information 
infrastructure. CS&C is not only looking at protecting the federal domain but also the 
private sector. Their mission is carried out through five divisions: The Office of 
Emergency Communications (OEC), The National Cybersecurity and Communications 
Integration Center (NCCIC), Stakeholder Engagement and Cyber Infrastructure 
Resilience (SECIR), Federal Network Resilience (FNR), and Network Security 
Deployment. 

OEC supports and promotes the communications used by the government and 
first responders during emergency situations. They provide “training, coordination, tools, 
and guidance to help its federal, state, local, tribal, territorial and industry partners 
develop their emergency communications capabilities.” NCCIC is a “24x7 cyber 
situational awareness, incident response, and management center.” They share 
information to the public and private sectors to establish a greater understanding of 
cybersecurity vulnerabilities, actions, and responses. 

SECIR is the focus for engagement and coordination of national cybersecurity 
initiatives for both the government and the private sector. They are designed to streamline 
the coordination with external partners, while simultaneously gathering expertise on 
cybersecurity. FNR is focused on risk management for cybersecurity. They develop 
innovative approaches to drive change by developing metrics that have a measurable 
impact. Network Security Deployment was established to be the cybersecurity 


Office of Cybersecurity and Communications, U.S. Department of Homeland Security, modified 
July 2015, http://www.dhs.gov/office-cybersecurity-and-communications. 

Office of Emergency Communications, U.S. Department of Homeland Security, modified 
September 23, 2015, http://www.dhs.gov/office-emergency-communications. 

About the National Cybersecurity and Communications Integration Center, U.S. Department of 
Homeland Security, modified September 22, 2015, 
http://www.dhs.gov/national-cybersecurity-communications-integration-center. 

Ibid. 

Stakeholder Engagement and Cyber Infrastructure Resilience, U.S. Department of Homeland 
Security, modified September 23, 2015, 
http://www.dhs.gov/stakeholder-engagement-and-cyber-infrastructure-resilience. 

Federal Network Resilience, U.S. Department of Homeland Security, modified September 22, 
2015, http://www.dhs.gov/federal-network-resilience. 

engineering and acquisition center of excellence. They operate the National 
Cybersecurity Protection System, which “provides intrusion detection, advanced 
analytics, information sharing, and intrusion prevention capabilities that combat and 
mitigate cyber threats to the Federal Executive Branch information and networks.”118 

The divisions of CS&C all fill a different part of the cybersecurity mission and 
provide a more focused look at their piece. The breakdown of responsibility within DHS 
is established in order to provide the best structure for furthering the national 
cybersecurity interests. The link between the government and the private sector is seen in 
almost every aspect of cybersecurity. 

C. U.S. SECRET SERVICE CYBER MISSION 

There are other agencies under DHS that contribute to national cybersecurity, 
such as U.S. Immigration and Customs Enforcement, and the United States Secret 
Service (USSS). This thesis will only evaluate the Secret Service’s cyber mission, due to 
their mission focusing on cyber investigation. Additionally, they have a direct link to the 
Sony Pictures Entertainment cyber-attack that is discussed in Chapter IV. 

In 1865, the Department of the Treasury formed the Secret Service Division 
(SSD) to battle counterfeiting currency. In 1894, President Grover Cleveland 
requested that SSD provide him part-time protection. SSD continued to provide part-time 
protection until President McKinley was assassinated in 1901. After that Congress 
asked SSD to protect the president. It was not until 1906 that Congress funded the 
protection of the president. 


Network Security Deployment, U.S. Department of Homeland Security, modified September 22, 
2015, http://www.dhs.gov/network-security-deployment. 

USSS History, U.S. Secret Service, accessed April 15, 2016, 
http://www.secretservice.gov/about/history/events/. 

120 Shawn Reese, The U.S. Secret Service: History and Missions (CRS Report No. RL34603) 
(Washington, DC: Congressional Research Service, 2014), 7. 

In 1943, the SSD was renamed the United States Secret Service.122 In 1986, 
Congress passed the “Computer Fraud and Abuse Act of 1986” that authorized the Secret 
Service jurisdiction alongside the FBI for investigating identity theft along with fraud and 
related activity committed against protected computers.123 Investigation jurisdiction 
being jointly provided to the Secret Service and the FBI allows them to investigate any 
intrusion on a protected computer. The cybersecurity law explains a protected computer 
system as “protects federal computers, bank computers and computers connected to the 
Internet.”124 


In 1995, the Secret Service established their first Electronic Crimes Task Force 
(ECTF) in New York. The purpose of the ECTF was “prevention, detection, mitigation, 
and aggressive investigation of attacks on the nation’s financial and critical 
infrastructures.”125 In 2001, the Patriot Act required the USSS to expand the ECTF.126 
There are now thirty-one different locations for the ECTF. The ECTF’s role has 
expanded as well; it now provides support and resources to investigations that meet 
certain criteria. Those criteria are “significant economic or community impact; 
participation of organized criminal groups involving multiple districts or transnational 
organizations; or use of schemes involving new technology.”127 The ECTF was expanded 
for the purpose of “preventing, detecting, and investigating various forms of electronic 
crimes.”128 The expansion of the ECTF made the Secret Service the primary agency for 


122 Records of the U.S. Secret Service [USSS]: Record Group 87, 1863-1988, National Archives and 
Records Administration, accessed April 15, 2016, 
http://www.archives.gov/research/guide-fed-records/groups/087.html#87.1. 

123 U.S. Department of Justice, Prosecuting Computer Crimes: Computer Crime and Intellectual 
Property Section Criminal Division (Washington, DC: OLE, 2015) 
http://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf. 

124 Charles Doyle, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and 
Related Federal Criminal Laws (CRS Report No. R42659) (Washington, DC: Congressional Research 
Service, 2010), 2. 

125 U.S. Secret Service Electronic Crimes Task Forces, U.S. Department of Homeland Security, 
accessed April 15, 2016, 
https://www.dhs.gov/sites/default/files/publications/USSS%20Electronic%20Crimes%20Task%20Force.pd 

126 USA PATRIOT Act, Pub. L. No. 107-56, 115 Stat. 272 (2001). 

127 Electronic Crimes Task Forces, U.S. Department of Homeland Security. 

128 USA PATRIOT Act, Pub. L. No. 107-56, 115 Stat. 272 (2001). 

investigating cyber-attacks. In 2002, the USSS was moved from the Department of the 
Treasury to the new DHS. Under Subtitle C of the Homeland Security Act of 2002, the 
functions, personnel, assets, and obligations of the USSS were to remain the same and 
that the USSS would continue to be a distinct entity. 

The USSS has shown itself to be a leader in cybersecurity and has a vested interest 
in protecting the country’s critical infrastructure, financial infrastructure, and government 
cyberspace. In order to accomplish this, the USSS has adopted a six-pronged approach: 

• Providing advanced computer forensics and network intrusion 
investigation training to enhance the skills of special agents through the 
Electronic Crimes Special Agent Program (ECSAP) 

• Establishing a Computer Emergency Response Team in coordination with 
Carnegie Mellon University 

• Maximizing partnerships with international law enforcement counterparts 
through overseas field offices and by forward deploying ECSAP agents to 
international working groups 

• Providing training, examination services and research into cutting edge 
processes to extract potential evidence from mobile devices to include 
cellular phones, skimming devices and GPS units 

• Providing computer-based training to state and local law enforcement 
partners to enhance their investigative skills at the National Computer 
Forensics Institute 

• Collaborating through an established network of 46 Financial Crimes Task 
Forces and 39 Electronic Crimes Task Forces130 

This chapter covered the evolution of cybersecurity policy changes in the United 
States. DHS was specifically identified for their role in national cybersecurity. DHS 
works to ensure network security across the entire nation, from protecting government 
computers to helping the private sector protect itself. USSS, as a part of DHS, has a 
major role to play in cybersecurity, and is currently the lead agency for investigating 
cyber-attacks. 


129 Homeland Security Act of 2002, Pub. L. No. 107-296 (2002). 

III. FBI, NSA/DOD, DNI CYBERSECURITY OVERVIEW 


Chapter II provided an overview of the evolution of cybersecurity policy in the 
United States, looking specifically at DHS. DHS’s current cybersecurity mission was 
identified and discussed. DHS works to ensure a secure computer network for the 
government, and promotes coordination between public and private entities. The 
evolution of USSS’s cybersecurity mission and its current mission within DHS was 
identified. 

Chapter III describes the evolution and current cybersecurity missions for the FBI, 
NSA/DOD, and DNI. These three agencies were chosen for study due to their national 
level cybersecurity missions, and the fact that they have broad cybersecurity missions 
comparable to DHS. Analyzing these entities will provide a more rounded analysis of 
DHS’s cybersecurity mission, by understanding how other national level agencies 
developed their cybersecurity mission and how they each interact with the whole. 

A. FEDERAL BUREAU OF INVESTIGATION 

In 1905, Charles Bonaparte was appointed the Attorney General by President 
Theodore Roosevelt.131 The Department of Justice (DOJ) frequently utilized USSS 
agents to conduct investigations. This frustrated Bonaparte because Secret Service 
investigations were expensive, and its agents would report to the Chief of the Secret 
Service instead of to him.132 On May 27, 1908, Congress passed a law forbidding the 
DOJ from utilizing USSS agents for investigations.133 Later that same year Bonaparte 
established a small group of special agents. The group had no name, but would eventually 
grow to become the FBI.134 On July 26, 1908, the special agents were ordered to report to 
Chief Examiner Stanley W. Finch, and just under a year later on March 16, 1909, 


131 A Brief History of the FBI, Federal Bureau of Investigation, accessed May 13, 2016, 
https://www.fbi.gov/about-us/history/brief-history. 

132 Ibid. 
Attorney General George Wickersham named the group of special agents the Bureau of 
Investigation.135 

The FBI has authority under the “Computer Fraud and Abuse Act of 1986” to 
investigate crimes committed against federally protected computers.136 Protected 
computers are those used by the government or financial institutions and those computers 
that could affect the economy.137 In 2002, the FBI created the Cyber Division to “combat 
cyber-based terrorism, hostile foreign intelligence operations conducted over the Internet, 
and cybercrime by applying the highest level of technical capability and investigative 
expertise.”138 The FBI initiated a cyber-specific agent training program in order to ensure 
it was prepared to operate in cyberspace. 

In January 2008, the “Comprehensive National Cyber Security Initiative” (CNCI) 
was launched. The CNCI supports mandates issued in the “National Security Presidential 
Directive 54” and “Homeland Security Presidential Directive 23,” both of which are 
classified. To increase the government’s cybersecurity operations, CNCI required an 
investment increase for cybersecurity monitoring, training, and information-sharing for 
the government and the private sector. As part of the CNCI, the FBI established the 
National Cyber Investigative Joint Task Force (NCIJTF). The NCIJTF is the nation’s 
central hub for the coordination of cyber investigations. The NCIJTF expands 
coordination between the Intelligence Community and federal law enforcement against 

• Cyber terrorists exploiting vulnerabilities in critical infrastructure control 
systems; 

• Nation-state theft of intellectual property and trade secrets; 


135 Brief History of the FBI, FBI. 

136 U.S. Department of Justice, Prosecuting Computer Crimes, 158. 

137 Ibid. 

138 Ten Years After: The FBI Since 9/11, Cyber, Federal Bureau of Investigation, accessed May 13, 
2016, https://www.fbi.gov/about-us/ten-years-after-the-fbi-since-9-11/just-the-facts-1/cyber. 

139 Ibid. 

140 Cyber Task Forces, Federal Bureau of Investigation, accessed May 13, 2016, 
https://www.fbi.gov/about-us/investigate/cyber/cyber-task-forces-building-alliances-to-improve-the- 
nations-cybersecurity-1. 
• Financially-motivated criminals stealing money or identities or 
committing cyber extortion; 

• Hacktivists illegally targeting businesses and government services; 

• Insiders conducting theft and sabotage.141 

The FBI has also established Cyber Task Forces (CTF) that focus on 
cybersecurity threats in all 56 of its field offices.142 The CTF coordinates at the local and 
national level to try to de-conflict any issues. The mission of each CTF is: 

In support of the national effort to counter threats posed by terrorist, 
nation-state, and criminal cyber actors, each CTF synchronizes domestic 
cyber threat investigations in the local community through information 
sharing, incident response, and joint enforcement and intelligence 
actions.143 

The FBI is also expanding its cyber capabilities in three other ways. The first is 
the National Cyber-Forensics & Training Alliance (NCFTA). NCFTA was established in 
1997, and enables “law enforcement, private industry, and academia to build and share 
resources, strategic information, threat intelligence to identify, stop emerging cyber 
threats and mitigate existing ones.”144 iGuardian is the second method the FBI is utilizing 
to increase cybersecurity. iGuardian is “a secure information portal allowing industry-based, 
individual partners to report cyber intrusion incidents in real time.”145 The third 
method is InfraGard. InfraGard is a partnership between the FBI and the private sector that 
encompasses businesses, academia, law enforcement agencies, and other entities working 
together to prevent attacks against the United States.146 


141 Cyber Task Forces, FBI. 

142 Ibid. 
144 National Cyber-Forensics & Training Alliance, Federal Bureau of Investigation, accessed May 13, 

B. NATIONAL SECURITY AGENCY AND DEPARTMENT OF DEFENSE 


The National Security Agency (NSA) and the Department of Defense (DOD) both 
play an integral part in U.S. cybersecurity. In past conflicts, our nation’s adversaries 
could be defined by national boundaries. Today, cyberspace has abolished those 
boundaries, with the entire world operating and relying on the same interconnected 
networks, and the NSA and DOD are critical to protecting those networks. 

1. National Security Agency 

On December 29, 1952, the “National Security Council Intelligence Directive 
(NSCID) No. 9: Communications Intelligence (COMINT)” was signed by President 
Truman.149 NSCID-9 established the NSA under the authority of the Secretary of 
Defense (SECDEF).150 NSCID-9 also defines NSA’s mission as, “provide an effective, 
unified organization and control of the communications intelligence activities of the 
United States conducted against foreign governments, and to provide for integrated 
operational policies and procedures pertaining thereto.”151 The next major change to 
NSA’s mission came in December 1971, when SECDEF Laird published “DOD Directive 
S-5100.20” to define the “authorities, functions, and responsibilities of the NSA.”152 DOD 
Directive S-5100.20 broadened NSA’s COMINT mission. NSA’s mission was expanded 
to include all Signals Intelligence (SIGINT). SIGINT was defined to include 
COMINT, Electronic Intelligence (ELINT), and Telemetry Intelligence (TELINT).153 
This expansion of NSA’s responsibilities put it in charge of intelligence 
collection for all electronic methods. 


147 Cyber, National Security Agency, modified May 3, 2016, https://www.nsa.gov/what-we-do/cyber/. 

NSA’s mission can be broken down into two areas: SIGINT and Information 
Assurance.154 SIGINT is comprised of collecting, processing, and disseminating 
intelligence from foreign entities.155 SIGINT for NSA includes collecting information 
from foreign communications, radars, and any other electronic system. The information 
collected is generally in foreign languages, technical documents, encoded, or otherwise 
safeguarded. Once NSA collects the information, it needs to translate it into usable 
intelligence. This needs to happen as close to real time as possible for NSA’s customers 
to utilize the intelligence. NSA provides intelligence to the White House, executive 
branch agencies, DOD, and U.S. allies.156 NSA’s second mission, Information Assurance, 
is preventing unauthorized access to the government’s networks. NSA 
protects national security information and systems from our adversaries.157 The main 
objective of the Information Assurance mission is preventing adversaries from accessing, 
viewing, stealing, or changing any part of the information system.158 NSA’s specific 
cyber mission is to use both SIGINT and Information Assurance to identify and prevent 
any cyber threat to the government networks.159 

2. Department of Defense 

In 1775, the American Revolution led to the creation of the Army, Navy, and 
Marine Corps. Fourteen years later, in 1789, the War Department was established, with the 
Department of the Navy being created in 1798.160 It was not until 1947 that the different 
services were united into the same department, called the National Military 
Establishment. Also in 1947, the War Department was renamed the Department of the 
Army, and the Department of the Air Force was established. In 1949, the three service 

154 Frequently Asked Questions, National Security Agency, modified May 3, 2016, 
secretaries lost their cabinet level status and the National Military Establishment was then 
renamed the Department of Defense. The overarching mission for DOD is to “provide 
the military forces needed to deter war and to protect the security of our country.”163 

In June 2009, the SECDEF directed Commander U.S. Strategic Command to 
create the U.S. Cyber Command (USCYBERCOM), which became operational in 
October 2010. The mission for USCYBERCOM is: 

USCYBERCOM plans, coordinates, integrates, synchronizes and conducts 
activities to: direct the operations and defense of specified Department of 
Defense information networks and; prepare to, and when directed, conduct 
full spectrum military cyberspace operations in order to enable actions in 
all domains, ensure US/Allied freedom of action in cyberspace and deny 
the same to our adversaries. 

USCYBERCOM is a subordinate of U.S. Strategic Command as a sub-unified 
combatant command. It is comprised of five service elements; the Army, Navy, 
Marine Corps, and Air Force each have their own cyber command that is a subordinate 
of USCYBERCOM.166 The Coast Guard also has a cyber command that is a subordinate 
of DHS but works directly with USCYBERCOM.167 USCYBERCOM has also 
established Cyber Mission Force (CMF) in order to fulfil the three missions and five 
goals outlined in the DOD Cyber Strategy.168 Admiral Michael Rogers, Commander 
USCYBERCOM, says that the formation of CMFs is designed to turn “strategy and plans 
into operational outcomes.”169 Approximately half of the desired CMF teams have been 
established with the goal being 133 teams, and a total of 6,200 personnel.170 The teams 
that have been established are guarding networks, and have helped “Combatant 
Commanders deny freedom of maneuver to our adversaries in cyberspace.” The CMFs 
are being developed to carry out defensive and offensive cyberspace operations. 

In April 2015, the DOD Cyber Strategy was published, identifying three 
cybersecurity missions for DOD. First, “DOD must defend its own networks, systems, 
and information.” Second, “DOD must be prepared to defend the United States and its 
interests against cyber-attacks of significant consequence.” Third, “DOD must be able 
to provide integrated cyber capabilities to support military operations and contingency 
plans.” These three missions are followed up with five strategic goals in order to fulfil 
the missions. The five strategic goals are: 

1. Build and maintain ready forces and capabilities to conduct cyberspace 
operations; 

2. Defend the DOD information network, secure DOD data, and mitigate 
risks to DOD missions; 

3. Be prepared to defend the U.S. homeland and U.S. vital interests from 
disruptive or destructive cyber-attacks of significant consequence; 

4. Build and maintain viable cyber operations and plan to use those options 
to control conflict escalation and to shape the conflict environment at all 
stages; 

5. Build and maintain robust international alliances and partnerships to deter 
shared threats and increase international security and stability. 

In 2010, SECDEF, with the President’s approval, made the Director of NSA the 
Commander USCYBERCOM in a dual-hatted role. This means that the two agencies 
will work together and coordinate their efforts for a greater outcome. Even with the 
same leader the two entities have very different roles to play. NSA conducts SIGINT and 
Information Assurance while USCYBERCOM operates under U.S. Code Title 10 and 
Title 32.179 USCYBERCOM is a consumer of the SIGINT and Information Assurance 
that NSA provides. The two missions from NSA are vital to the Network Warfare that 
USCYBERCOM trains for.180 Both NSA and USCYBERCOM play important roles for 
national cybersecurity. 

C. DIRECTOR OF NATIONAL INTELLIGENCE 

The Director of National Intelligence (DNI) was created under the “Intelligence 
Reform and Terrorism Prevention Act (IRTPA) of 2004” that was signed on December 
17, 2004.181 On April 21, 2005, the first DNI, John D. Negroponte, was sworn in.182 The 
main mission for the DNI is to integrate the Intelligence Community (IC).183 The IC is 
comprised of 17 different independent agencies within the Executive Branch that 
collaborate together under the DNI to provide the intelligence necessary for 
operations.184 

In February 2013, “PPD-21: Critical Infrastructure Security and Resilience” was 
signed. PPD-21 directed the IC, under the direction of the DNI, to provide intelligence 
pertaining to threats against critical infrastructure to the appropriate entities.185 
Additionally, PPD-21 authorized the DNI to oversee safeguarding of national security 
systems.186 

In February 2015, the President directed the DNI to create the Cyber Threat 
Intelligence Integration Center (CTIIC).187 CTIIC connects the dots for national 
intelligence that deals with foreign cyber threats, and provides that to other departments 
and agencies along with policymakers.188 CTIIC provides its intelligence primarily to 
NCCIC, NCIJTF, and USCYBERCOM to help them fulfil their missions.189 CTIIC does 
not collect intelligence, or attempt to replicate other functions currently performed by 
other agencies.190 Since they do not collect information the data flow is only in one 
direction: from CTIIC to other government agencies. There is no feedback loop 
established for CTIIC to determine if they are providing what the agencies need. 

The FBI, NSA/DOD, DNI, along with DHS ensure that our country is safe from 
cyber threats and work to further the level of cybersecurity, cyber education, and 
coordination across public and private entities. This chapter discussed the evolving 
missions for the FBI, NSA/DOD, and DNI to enhance the cybersecurity for the nation. 
An understanding of the other national level cybersecurity entities is important to see 
what each provided and how that all fits together to fulfill the national cybersecurity 
objectives. 
IV. SONY PICTURES ENTERTAINMENT CYBER-ATTACK 


Chapter III discussed the evolving mission and the current responsibilities for the 
FBI, NSA/DOD, and DNI cybersecurity. These entities plus DHS make up the national 
level cybersecurity effort. Chapter IV looks at the Sony Pictures Entertainment 
cyber-attack. The first section provides background information leading up to the attack, and 
the actual attack is discussed in the following section, along with the aftermath and 
subsequent investigation. 

A. BEFORE THE CYBER-ATTACK 

The Sony cyber-attack involved the movie The Interview. The Interview is a 
comedy, where two reporters (played by Seth Rogen and James Franco) are recruited by 
the CIA to kill the Democratic People’s Republic of Korea’s (North Korea) dictator Kim 
Jong-un. In the original script there was a fictional dictator instead of Kim but it was later 
changed before filming. North Korea was regarded as fair game in Hollywood, unlike 
China since China has a large film market. In June 2014, the first trailer for the film 
was released. A couple of days after the trailer release a North Korean government 
spokesman warned Sony that the release of The Interview would be seen as “the most 
blatant act of terrorism and war.” The spokesman then threatened a merciless 
countermeasure if the film was released. North Korea later filed official complaints with the 
White House and the United Nations. 

Sony was not prepared for the blowback they were to receive over The Interview. 
Doug Belgrad, a studio executive, told Sony’s CEO Michael Lynton that he was “doing 
homework on whether there is any precedent on depicting and/or killing a living leader 
on film.” Lynton consulted with “extremely knowledgeable experts” and was given no 
indication of a possible cyber-attack. Bruce Bennett, an expert on North Korea for the 
Rand Corporation, reportedly did tell Lynton that a cyber-attack was possible, but that 
North Korea frequently makes empty threats, also advising him that there was probably 
nothing to fear. 

Although many people involved with the film felt it was simply empty threats, 
North Korea had already been linked to numerous previous cyber-attacks. The country is 
believed to have “several thousand army hackers.” Prior to the Sony cyber-attack the 
most notable cyber-attack linked to North Korea is the DarkSeoul attack against The 
Republic of Korea (South Korea). On April 20, 2013, a coordinated cyber-attack was 
conducted that had destructive effects. The attack was disguised as the work of 
hacktivists but was determined to have been carried out by North Korea. The attack 
caused South Korea’s main three television stations (KBS, MBC, YTN) to be taken off 
the air, and ATMs, Internet and mobile banking services of the three main banks (Jeju, 
Nonghyup, Shinhan) to be frozen.199 Approximately 45,000 computers between the 
television stations and banks had their operating systems removed and their hard drives 
erased.200 The investigation found that the main access point was a patch management 
software that was used. Once the attackers had access to the management software they 
could bypass the user level on the systems and operate at the administrator level.201 The 
attackers used the updates from the management software to hide their malware. The 
attackers had access to the systems for over a month before the final attack. During that 
month the attackers gathered all the information available.202 The outcome of the attack 
was over $700 million in damages and the potential for unknown damage with the 
information that was stolen.203 The fact that this previous attack had been linked to North 
Korea could have led Sony executives to give the threats more credibility. 

Actor Seth Rogen also received warnings about a possible cyber-attack. He 
sought out Rich Klein, whose consulting firm in Washington, D.C., advises Hollywood 
on geopolitical problems. Once Klein was able to read the script for The Interview he 
advised Rogen to expect blowback from North Korea “possibly in the form of an 
electronic assault.”204 Klein also felt that North Korea might conduct a cyber-attack 
against the studio to prevent the release of the film.205 Both of these warnings were 
passed on to Sony executives, but Sony denies having any knowledge or receiving any 
information on an imminent attack. 

B. THE CYBER-ATTACK 

On Monday, November 24, 2014, at seven in the morning, Sony Pictures 
Entertainment was the victim of a massive cyber-attack. When employees signed into their 
computers gunshots rang out from the speakers, and a picture of a skeleton appeared over 
the top two executives’ heads, which were made to look like zombies. Figure 1 shows a 
screenshot of what the employees saw. 


203 Elkind, “Hack of the Century,” 75. 

204 Ibid., 76. 

205 Ibid. 






Figure 1. Screenshot from Sony After the Cyber-Attack.206 


1. Cyber-attack Damage 

The attackers were able to take out approximately half of Sony’s global network. 
Everything was erased from 3,262 company computers, as well as 6,797 personal 
computers. Reportedly, 837 of Sony’s 1,555 servers were erased. Instead of just deleting 
information off the devices, the attackers had the data overwritten seven different times to 
ensure that the data could not be recovered. Before the data was destroyed, it was copied 
by the attackers. The last thing the attackers did was delete the operating system off all 
devices affected. Sony’s technology was set back decades, forcing the company to use 
fax machines, the postal service, and pay its employees by check for over a week, until it 


206 Source: Peter Elkind, “Inside the Hack of the Century,” Fortune, July 2015, 67. 
Elkind, “Hack of the Century,” 66. 
could recover from the attack. As a precaution Sony shut down most of their computer 
systems across the world.208 

The data that was stolen was made public over the next three weeks, in nine 
different batches. The stolen data included unfinished movie scripts, email exchanges, 
salaries, and over 47,000 Social Security numbers. Additionally, five different films were 
released to piracy websites for free viewing. Four of those five films had not yet been 
released by Sony. The hackers took things further by making threats for a 9/11 style 
attack if The Interview was released. 

2. Media Coverage 

In the aftermath of the Sony cyber-attack the news media did exactly what it is 
trained to do during a crisis: it wrote about and discussed it. The news covered everything from 
what was happening, to speculating about who did it. They also published some of the 
information that the hackers had stolen and then leaked online. There is no way of 
knowing if the leaked information would have gotten out to as large of an audience if the 
news had not covered it. Multiple different news agencies published the personal emails 
from Sony executives and lists of salaries, but drew the line at releasing medical 
records or Social Security numbers. 

By the middle of December Sony felt they needed to talk to an attorney about the 
stolen information. David Boies was hired and he warned over 40 different media 
organizations to stop using the stolen information or “they would be held ‘responsible for 
any damage or loss.’”209 Boies argued that the documents were protected under a variety 
of U.S. and international laws since they were private, confidential, or trade secrets.210 

Aaron Sorkin, a screenwriter for Sony, wrote an op-ed for The New York Times 
that explains what the news media was doing during the aftermath of the Sony 
cyber-attack. He says that they are “giving material aid to criminals.”211 Sorkin feels that the 
American news outlets provided the hackers an outlet for the stolen information.212 The 
hackers did not have to do any work to ensure it would be seen by the masses; all they 
had to do was put it online and the news outlets would publish it and talk about it. The 
first release of private information was not done by the hackers but by the American 
news outlets. Sorkin writes he understands that stolen information is routinely used and 
sometimes should be published, such as the Pentagon Papers.213 There is nothing in the 
stolen Sony documents that even comes close to the level of public interest that the 
Pentagon Papers did. The co-editor in chief of the magazine Variety decided to publish 
the leaked information because he felt it was newsworthy.214 Sorkin continues to say that 
every news outlet that published the information is “morally treasonous and spectacularly 
dishonorable.” He finishes his argument by saying that, “as demented and criminal as 
it is, at least the hackers are doing it for a cause. The press is doing it for a nickel.” 

The FBI and Sony were attempting to contain the information that was stolen, and 
the media was thwarting that effort at every turn. The FBI and Sony took different 
approaches in an attempt to contain the stolen information. The FBI focused on people 
once they had accessed the stolen information by visiting people who had been linked to 
downloading a number of stolen files.217 Sony’s tactic was more focused on preventing 
the information from being accessed in the first place. Sony identified the websites that 
contained the stolen files for download, and then flooded those sites with random other 
files.218 This was an attempt to hide the stolen files in thousands of other files, and slow 
the download speeds to deter people from accessing the information. 

C. AFTER THE CYBER-ATTACK 

Within a couple of hours after the attack the FBI was notified. A team from the 
FBI Los Angeles cyber-squad was sent to start an investigation. Sony also hired its own 
private forensic expert to investigate, Kevin Mandia. Four days after the attack the first 
of the stolen data was leaked to online file-sharing websites. The data consisted of five 
Sony films: Fury, Annie, Mr. Turner, Still Alice, and To Write Love On Her Arms. Of 
these five films Fury was the only movie to have been released and was still in 
theatres. On December 1, the salaries of the top 17 Sony executives were leaked. 
Many mainstream news outlets published the list. Every few days after this a new batch 
of information was leaked, including personal information, performance evaluations, 
medical records, background checks, disciplinary letters, passport information, and more 
salaries. Personal emails from Sony’s studio chief Amy Pascal were released, which 
included nasty comments about celebrities, and even racist banter about President 
Obama, insinuating that he preferred movies about black people. This led Pascal to 
issue a public apology and many personal apologies as well. 

In a press release on December 19, 2014, the FBI stated, “As a result of our 
investigation, and in close collaboration with other U.S. government departments and 
agencies, the FBI now has enough information to conclude that the North Korean 
government is responsible for these actions.” The Guardians of Peace identified 
themselves as the attacker. This group had never been heard of before or since this 
cyber-attack. The FBI released three reasons as part of the justification for naming North 
Korea. First, the technical analysis of the data deletion malware used was linked to 
additional malware that North Korea is known to have developed and used. Second, the 
FBI linked several Internet protocol (IP) addresses associated with North Korea to those 
IP addresses used in the attack. Third, the tools used had a stark resemblance to the ones 
used during the DarkSeoul attack that North Korea conducted against South Korea.225 
Later that same day North Korea publicly “denied any involvement in the attack, but 
praised the hackers ... as having done a righteous deed.”226 

The FBI said that the cyber-attack conducted by North Korea was “intended to 
inflict significant harm on a U.S. business and suppress the right of American citizens to 
express themselves.”227 In a statement released on December 19, Secretary of Homeland 
Security Jeh Johnson said that the attack was not only against Sony but also against our 
freedom and way of life.228 On December 22, 2014, a spokesperson for the State 
Department said, “we are considering a range of options in response. We aren’t going to 
discuss publicly operational details about the possible response options.”229 The next day 
North Korea had a ten-hour Internet outage.230 The United States did not take 
responsibility for this, but an unnamed official was quoted saying, “accidents can 
happen.”231 That quote led many to believe that the United States had caused the Internet 
outage in North Korea. 


225 Update on Sony, FBI. 

226 Mark E. Manyin et al., North Korea: Back on the State Sponsors of Terrorism List? (CRS Report 
No. R43865) (Washington, DC: Congressional Research Service, 2015), 9, 
https://www.fas.org/sgp/crs/row/R43865.pdf. 

227 Ibid. 

228 “Statement by Secretary Johnson On Cyber Attack On Sony Pictures Entertainment,” U.S. 
Department of Homeland Security, December 19, 2014, http://www.dhs.gov/news/2014/12/19/statement- 
secretary-johnson-cyber-attack-sony-pictures-entertainment. 

229 Kristina Daugirdas and Julian Davis Mortenson, “United States Responds to Alleged North Korean 
Cyber Attack on Sony Pictures Entertainment,” The American Journal of International Law 109, no. 2 
(2015): 420, 

http://libproxy.nps.edu/login?url=http://search.proquest.com/docview/1717302701?accountid=12702. 

230 Ibid. 

231 Ibid. 





On January 2, 2015, the White House issued additional economic sanctions 
against North Korea.232 Admiral Rogers, Commander USCYBERCOM and Director 
NSA, feels that the U.S. needs to ensure the world knows that the cyber-attack on Sony 
crossed the line.233 He said, “What concerned me was, given the fact that this is a matter 
of public record, if we don’t publicly acknowledge it, if we don’t attribute it and if we 
don’t talk about what we’re going to do in response to the activity ... I don’t want anyone 
watching thinking we have not tripped a red line, that this is in the realm of the 
acceptable.”234 Even with their leader feeling that not enough has been done in response 
to the cyber-attack, neither USCYBERCOM nor NSA had a public role to play in the 
investigation. There were reports, however, that the NSA had successfully gained access 
to North Korea’s computer systems recently, and some observers believed that should 
have allowed them to see the initial intrusion into Sony’s network.235 

The FBI Director, James Comey, made a statement saying that they believed the 
hackers gained access in September through a tactic called spear phishing.236 Spear 
phishing is when massive amounts of emails are sent with encrypted links trying to get an 
employee to click on one that would allow the hackers to gain access. According to 
Sony’s CEO, Michael Lynton, the company is a blameless victim, and Sony was prepared 
for conventional cybersecurity intrusions but that they had suffered “the worst 
cyber-attack in U.S. history.”237 FBI’s Assistant Director, Joseph Demarest, agreed with Lynton 
and told the Senate that “the malware that was used would have slipped, probably would 
have gotten past 90% of the net defenses that are out there today in private industry, and I 
would challenge to even say government.”238 Even the spokesman for FireEye, a 
cybersecurity company, agreed stating that, “if a state actor wants to get in, he’ll get 
in.”239 The attack on Sony was carefully planned and would have put the cybersecurity of 
the U.S. government to the test. 

D. SUCCESS/FAILURE 

In the aftermath of the attack, the U.S. government opened an investigation. In 
order to determine whether this investigation was successful, a definition of a successful 
investigation must be established. The goal of an investigation should be to identify the 
who, what, when, why, and how of the attack. In order to gain the most accurate 
information the first step must include putting the proper agency in charge. 

The government is also interested in minimizing the effect of the attack, along 
with Sony. This requires the recovery of the information that was stolen and minimizing 
the distribution of what was not recovered. Additionally, the Sony case raises the issue of 
whether the government should work to close the security risk, ensuring that government 
systems would not be vulnerable to a similar attack, and coordinate with other companies 
to strengthen cybersecurity. 

The FBI took on the lead role and carried out a successful investigation. 
According to government policy, the Secret Service should have been the lead 
investigator for the computer intrusion portion of the attack.240 The FBI should have been 
the lead investigator for the copyright piracy and trade secret theft portion though.241 
According to the USA Patriot Act, the USSS is the primary agency for investigating 
cyber-attacks.242 Primary jurisdiction for the three cyber-crimes was split between the 
Secret Service and the FBI, but the FBI conducted the investigation with little official 
help from any other agencies. The Sony case thus raises the issue of whether the 
investigation should have been more of a joint effort. 

The next step for showing that the FBI conducted a successful investigation is to 
identify the who, what, when, why, and how of the attack. The investigation carried out 
by the FBI identified all of these aspects in a timely manner with correct supporting 
evidence and updated the public with their findings. 

The who portion is straightforward: identify the person or persons responsible. In 
this case the Guardians of Peace identified themselves as the attackers. The attackers 
provided their name, but the FBI was able to trace the attack back to North Korea even 
though North Korea would not take responsibility for the attack. 

The what is answered by looking at the attack itself and asking, what did it 
accomplish? The cyber-attack postponed the release of, and greatly reduced the profits made 
from, the movie The Interview, and erased nearly half of Sony’s computers and servers. 

The when is covered in the timeline, with the initial intrusion occurring in 
September 2014, through spear phishing, and the discovery of the attack on November 
24, 2014. The FBI was able to identify the initial intrusion and follow what the hackers 
did once they had access to the network. The FBI traced what the hackers did, allowing 
the case to be studied by cybersecurity experts to formulate defenses against it. 

The why is the reasoning behind the attack. According to the FBI, the attack was 
“intended to inflict significant harm on a U.S. business and suppress the right of 
American citizens to express themselves.” As noted above, U.S. officials concluded that 
the intent of the attack was not to harm Sony specifically but for a foreign power to 
coercively obstruct the exercise of the First Amendment. 

The how portion of the investigation identified the initial access as a spear 
phishing attack in September, and from there the attackers had access to the servers and 
the computers connected to those servers. Once the attackers had access, all they had to do 
was avoid detection and carry out their plan. 

This chapter has shown what happened leading up to, during, and after the cyber- 
attack conducted by North Korea against Sony. The executives at Sony disregarded 
multiple warnings and threats that a cyber-attack could happen. The Sony case, however, 
raises the question of whether the actual attack could have been prevented at the time, 
insofar as a nation such as North Korea will have more resources at its disposal than a 
company, even as large a one as Sony. The aftereffects of the attack caused more private 
companies to evaluate their own cybersecurity, and to make changes they deemed 
appropriate. 

V. CONCLUSION, POLICY RECOMMENDATIONS, AND FURTHER RESEARCH 


This thesis has discussed the available evidence to answer the question of whether 
the current cybersecurity responsibility allocation for DHS is optimal for achieving U.S. 
national cybersecurity objectives. This concluding chapter will offer a brief summary, 
followed by a discussion of possible policy recommendations for DHS, USSS, FBI, 
NSA/DOD, and DNI. The final section will identify areas that require further research to 
better understand the role of each of these organizations in cybersecurity. 

A. CONCLUSION 

This thesis examined the U.S. government’s delineation of the roles and 
responsibilities for cybersecurity. The evolution of technology and the advances in 
cyberspace have made cybersecurity a vital interest for national security. Cyberspace 
provides a means for people to collaborate from across the world. That ease of 
communication is both advantageous and dangerous, which is why cybersecurity is so 
important. Proper cybersecurity can mitigate the dangerous side of cyberspace. 

Chapter II identifies the evolution of cybersecurity laws and policies starting with 
the “Computer Security Act of 1987.” The evolution starts with basic computer 
regulations and continues with the creation of multiple groups to further regulate or 
protect the growing cyber world. The National Security Telecommunications and 
Information Systems Security Committee is the first such group that was started in 1990. 
In 1998, with the signing of “PDD/NSC-63: Critical Infrastructure Protection,” the 
physical protection of critical infrastructure was linked with protecting the same 
infrastructures from cyber-attacks. 

The devastating terrorist attacks on September 11, 2001, changed the way the 
world viewed security at all levels. These attacks led directly to the passing of the Patriot 
Act, which expanded the roles and responsibilities of most government agencies for 
security, including cybersecurity. Another effect from the attacks was the creation of 
DHS in order to protect the U.S. from any future terrorist attack. 

The establishment of the Comprehensive National Cyber Security Initiative 
(CNCI) in 2008 was the next major step forward for national cybersecurity. CNCI 
established a first line of defense against cyber-threats in order to strengthen the future of 
cybersecurity. CNCI also stressed the importance of collaboration between the 
government and private sector. This was further stressed in 2015 by “E.O. 13691: 
Encouraging Private-Sector Cybersecurity Collaboration,” which identifies DHS as the 
liaison between the government and the private sector for cybersecurity and allows DHS 
to share classified information if deemed necessary. 

Chapter II also outlines DHS’s current cybersecurity mission along with the 
Secret Service’s mission under DHS. DHS is designated as the lead agency for national 
cybersecurity, and has established two main offices to support it. The Cyber Security 
Division focuses on collaboration and R&D to better secure the national computer 
network. The Office of Cybersecurity and Communications focuses on increasing the 
strength, resilience, and reliability of the national information infrastructure. The Secret 
Service has a cyber investigation mission. The mission is fulfilled through the Electronic 
Crimes Task Forces that are designed to identify, prevent, interrupt, and investigate any 
cyber-attacks on financial or critical infrastructure systems. 

Chapter III briefly outlines the origin and the current cybersecurity missions for 
the FBI, NSA, DOD, and the DNI. The FBI is the primary agency for investigating 
cyber-crimes and cyber-attacks. The National Cyber Investigative Joint Task Force 
(NCIJTF) was established as the focal point for all cyber investigations. The NCIJTF also 
acts as a liaison between all levels of law enforcement and the Intelligence Community. 
In addition to NCIJTF, Cyber Task Forces were also established in order to better 
coordinate cyber investigations at both the local and national level. 

The NSA and DOD cyber efforts are both led by the same person in a dual-hatted 
role. NSA’s mission is two-fold: Signals Intelligence (SIGINT) and Information 
Assurance. SIGINT is gathering and processing intelligence and advising the appropriate 
entity about threats. Information Assurance is preventing unauthorized access to the 
government’s networks. Both of these missions support DOD’s efforts to defend its own and 
the United States’ networks, and if necessary provide offensive cyber capabilities. The 
intelligence for all cyber threats is fed to the Cyber Threat Intelligence Integration Center 
(CTIIC), which is led by the DNI. The DNI ensures that the intelligence that is received 
by CTIIC is processed and no link is missed and then provides that intelligence primarily 
to DHS, FBI, and DOD entities. 

Chapter IV looks at the Sony Pictures Entertainment cyber-attack from 2014, in 
order to identify whether the current allocation of cyber responsibilities is appropriate. 
The attack caused Sony to lose approximately half of their information from personal 
computers, company computers and servers. The information, which included movie scripts, 
email exchanges, salaries, and over 47,000 Social Security numbers, was deleted only 
after the attackers copied it. Within hours of the attack, the FBI was notified and started 
the investigation. Portions of the stolen information were released over the next several 
months. In a press release the FBI identified the attack as originating from North Korea, 
and stated that the intent was to attack the freedom of speech provided by the First 
Amendment. The investigation of the attack was a success for the FBI, which identified 
the who, what, where, when, why, and how in a timely manner and provided updates on 
the investigation to the public. 

B. POLICY RECOMMENDATIONS 

While no single case study can be definitive, the research of this thesis offers 
insight into the policy changes that could be enacted in order to enhance the national 
cybersecurity effort. The discussion of this section offers proposals that merit further 
assessment on the basis of a wider range of cases. 

1. DHS Cybersecurity Prevention Lead 

The case of the Sony attack suggests that greater focus is needed on prevention 
and defensive operations. DHS is in the best position to be the lead agency for defensive 
cybersecurity. Under CSD and SECIR, DHS could continue to coordinate and promote 
cooperation between different government agencies and the private sector. As part of this, 
InfraGard could be transferred from the FBI to DHS’s CSD. InfraGard is focused on 
preventing cyber-attacks and could be with the same entity that is in charge of preventing 
cyber-attacks. 

The R&D section under CSD could expand its capabilities and continue its 
information sharing across government agencies and private industry lines. Cyber 
education could also become more of a priority to further cybersecurity and to assist in 
R&D. 

The Network Security Deployment, under CS&C, could create a backup National 
Cybersecurity Protection System as a way to mitigate damages from a successful 
cyber-attack. To test this and to identify more issues, FNR could develop a “Cyber Red-Team” 
that would continually test the cybersecurity across the government and provide a 
detailed list of weaknesses up the DHS chain of command and to the government entity that 
was identified. The red team reports would lead to best practices for prevention, 
identification, mitigation, and re-establishment of a network that can be shared through 
the government and to the private sector. 

2. USSS Protection and Financial Missions 

The Secret Service has a very broad set of responsibilities and their cyber 
investigation portion is not up to the standards set by the FBI. The Secret Service could 
focus its efforts on the protection and financial crimes missions. The protection mission 
does not allow a single mistake. If there is a mistake made under the protection mission, 
then one or more people may be killed. The cyber investigation mission that the Secret 
Service currently has is a distraction from their two primary missions. Cybersecurity 
should play a part in their protection mission, but the cybersecurity role could be limited 
to what affects the people the USSS is protecting. A special section needs to be 
developed that will deal with cybersecurity under the Secret Service. The same agents 
that are protecting people cannot be the agents that are responsible for cybersecurity. The 
cybersecurity agents need to be specially trained personnel who only focus on 
cybersecurity. If there is a cyber-attack against a protected person, then the Secret Service 
should assist the FBI in the investigation. 

The financial mission is the founding mission for the Secret Service. They are the 
proven specialists in the financial crimes spectrum. Over 150 years have been dedicated to 
making the Secret Service the best financial investigation organization in the world. The 
evolving cyber aspect of finances has made finances and cyber intertwined. The Secret 
Service needs to better develop financial cyber agents that can track down criminals in 
cyberspace. The existing ECSAP can be expanded to include two different tracks to 
develop cyber agents for protection and financial specialties. 

3. FBI Lead Cyber Investigator 

As seen in the Sony case, the FBI can conduct a successful national level 
investigation. The FBI’s NCIJTF is already the focal point for cyber investigations, 
because, along with the 56 CTFs, NCFTA, and iGuardian, the FBI is the best established 
to be the lead investigation agency for all cyber-attacks and cyber-crimes. The laws and 
policies need to be updated so that the FBI is the lead investigation entity for cyber 
issues, and they would have the authority to investigate any crime associated with 
cyberspace. The ECTF from the Secret Service could be moved under NCIJTF to expand 
the capabilities. The FBI must also expand their training pipeline to better develop 
cyber-specific agents. The cyber agents must be proficient in cybersecurity and investigations. 

The agents working at CTFs must continually strive to further their cyber 
education for a better understanding of the crimes they investigate. CTFs serve as liaisons 
between local entities and national level entities for cybersecurity. This is a good 
arrangement, but they must remember to only focus on investigating cyber-crimes and 
not on preventing them, since DHS covers that portion. 

The FBI will also assist the Secret Service as requested for their cyber protection 
and financial missions. The cyber protection portion can be either preemptive or as part 
of an investigation. The financial collaboration would be for an investigation that needs 
both the Secret Service’s financial expertise and the FBI’s cyber expertise. 

4. NSA/DOD Maintain Mission and Expand Capabilities 

As seen in Chapter III, the NSA and DOD are the main entities that look out 
towards other countries as their primary focus. They are focused on intelligence 
gathering, and defensive and offensive cyber operations against foreign entities. This 
could remain the case, and neither entity should shift their focus to domestic 
cybersecurity. The DOD should be primarily focused on other countries’ governmental 
and military cyber capabilities, and how to mitigate or interrupt them. The DOD should 
be the only cyber entity that will have offensive capabilities. The NSA and DOD should 
both focus on expanding their capabilities to ensure that they are ahead of our 
adversaries. 

5. DNI Expand CTIIC 

The DNI’s role in cybersecurity started little more than a year ago and is 
contributing to achieving the national cybersecurity objectives. The CTIIC has been a 
great start for its purpose, but it could easily provide more actionable intelligence. It is 
designed to process and disseminate intelligence, primarily to NCCIC, NCIJTF, and 
USCYBERCOM. Right now this is a one-way stream of information, but it needs to flow 
both ways. The CTIIC could not only receive information from the IC but could also 
receive information from its three main consumers. Additionally, a feedback system 
needs to be established for the main consumers to provide constructive criticism in order 
to make CTIIC better. 

C. FURTHER RESEARCH RECOMMENDATIONS 

The cyber world is constantly evolving, and will not stop changing. This means 
that current research will always be needed for cyber issues. Our adversaries are probing 
for our weaknesses and are developing new ways to exploit them through cyberspace. In 
order to expand our understanding of cybersecurity and to prevent our adversaries from 
getting an upper hand, further research is needed. The R&D that is being conducted for 
cyber capabilities needs to be better integrated. The possible ways to do this need to be 
identified, and best practices need to be established for sharing R&D information while also 
preventing that same information from getting into the hands of our enemies. 

Additional research is needed to determine the advantages and disadvantages in 
setting up an international cybersecurity sharing initiative. If the advantages outweigh the 
disadvantages, then how can it be established and governed? Should it be under the 
United Nations or is that too large of a group for honest sharing? 

Cyber investigations need further research as well. How do they differ from other 
investigations? Is a cyber-crime always a federal investigation or what would make it a 
local or state level investigation and how should we develop the necessary cyber 
capabilities at the different levels? 

Finally, the role of USCYBERCOM should be evaluated to see if it can offer 
improved support in cases such as the Sony hack. Current debates over whether it should 
remain where it is under U.S. Strategic Command or become its own combatant 
command offer a timely opportunity to evaluate its interagency role. 